IdentityServer4 IdentityServer3.AccessTokenValidation
IdentityServer4 IdentityServer3.AccessTokenValidation
祝大家新年快乐...
我配置了一个 IdentityServer4,我可以成功进行 ASP.net Core web api 调用。
但是对于 asp.net framework 4.5.2 web apis,
我从 .NET 框架 Web api 收到 {"Response status code does not indicate success: 401 (Unauthorized)."} 错误。想请教大家的帮助和意见。
我用 IS4 搜索了主题,找到了一些关于 IdentityServer3.AccessTokenValidation 兼容性的条目。根据回复,我加载了一个签名证书并调用了 AddSigningCredential 而不是 AddTemporarySigninCredential。 x509certificate 是本地创建的证书。我将 IdentityServer3.AccessTokenValidation 版本更新为 v2.13.0.
我仍然遇到错误。
感谢任何帮助。
问候并感谢您的巨大努力。
IdentityServer 4 端:
Startup.cs
public void ConfigureServices(IServiceCollection services)
{
services
.AddIdentityServer()
//.AddTemporarySigningCredential()
.AddSigningCredential(x509Certificate)
.AddInMemoryIdentityResources(Config.GetIdentityResources())
.AddInMemoryApiResources(Config.GetApiResources())
.AddInMemoryClients(Config.GetClients())
.AddAspNetIdentity<ApplicationUser>();
}
Config.cs
public static IEnumerable<ApiResource> GetApiResources()
{
return new List<ApiResource>
{
new ApiResource("AuthorizationWebApi","Authorization Web API .NET Core"),
new ApiResource("AuthorizationWebApiNetFramework","Authorization Web API NET Framework"),
new ApiResource("api1", "Empty Test Api")
};
}
public static IEnumerable<Client> GetClients()
{
return new List<Client> {
new Client {
ClientId = "silicon",
ClientName = "console app",
AllowedGrantTypes = GrantTypes.ClientCredentials,
ClientSecrets = { new Secret("abcdef".Sha256())},
AllowedScopes = new List<string>{
"AuthorizationWebApiNetFramework"
}
},
new Client
{
ClientId = "MYUX",
ClientName = "MYUX MVC Client",
AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
RequireConsent = false,
ClientSecrets= {new Secret("abcdef".Sha256()) },
RedirectUris = { "http://localhost:5002/signin-oidc" },
PostLogoutRedirectUris = {"http://localhost:5002"},
AllowedScopes = {
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
"custom.profile",
"AuthorizationWebApi",
"AuthorizationWebApiNetFramework"
},
AllowOfflineAccess = true
}
};
}
.NET Framework APİ 端
public void Configuration(IAppBuilder app)
{
//ConfigureAuth(app);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
{
Authority = "http://www.abcdefgh.com:5000",
ValidationMode = ValidationMode.ValidationEndpoint,
RequiredScopes = new[] { "AuthorizationWebApiNETFramework" }
});
//configure web api
var config = new HttpConfiguration();
config.MapHttpAttributeRoutes();
//require authentication for all controllers
config.Filters.Add(new AuthorizeAttribute());
app.UseWebApi(config);
}
主叫方:
try
{
ViewData["Message"] = "Authorization Test.";
var accessToken = await HttpContext.Authentication.GetTokenAsync("access_token");
var authorizationApiClient = new HttpClient();
authorizationApiClient.SetBearerToken(accessToken);
var content = await authorizationApiClient.GetStringAsync("http://localhost:13243/values");
return View();
}
catch (Exception ex)
{
throw;
}
或通过控制台应用程序...
try
{
// discover endpoints from metadata
var disco = await DiscoveryClient.GetAsync("http://www.abcdefgh.com:5000");
var tokenClient = new TokenClient(disco.TokenEndpoint, "silicon", "abcdef");
var tokenResponse = await tokenClient.RequestClientCredentialsAsync("AuthorizationWebApiNetFramework");
if (tokenResponse.IsError)
{
Console.WriteLine(tokenResponse.Error);
return;
}
Console.WriteLine(tokenResponse.Json);
var client = new HttpClient();
client.SetBearerToken(tokenResponse.AccessToken);
var response = await client.GetAsync("http://localhost:13243/values");
if (!response.IsSuccessStatusCode)
{
Console.WriteLine(response.StatusCode);
}
else
{
var content = await response.Content.ReadAsStringAsync();
Console.WriteLine(JArray.Parse(content));
}
}
catch (Exception)
{
throw;
}
编辑: 在 4.5.2 Api 方面:我注释掉了这一行
验证模式 = ValidationMode.ValidationEndpoint。我按照 IS3 文档添加了这一行。谢谢大家。
删除 Web API 访问令牌验证中间件中的以下行。
ValidationMode = ValidationMode.ValidationEndpoint
结果应如下所示:
app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
{
Authority = "http://www.abcdefgh.com:5000",
RequiredScopes = new[] { "AuthorizationWebApiNETFramework" }
});
就我而言,我启用了以下日志:https://identityserver.github.io/Documentation/docsv2/consuming/diagnostics.html
By default Katana uses the TraceSource mechanism in .NET for logging. Add the following snippet to your config file to enable logging to a file:
<system.diagnostics>
<trace autoflush="true" />
<sources>
<source name="Microsoft.Owin">
<listeners>
<add name="KatanaListener" />
</listeners>
</source>
</sources>
<sharedListeners>
<add name="KatanaListener"
type="System.Diagnostics.TextWriterTraceListener"
initializeData="katana.trace.log"
traceOutputOptions="ProcessId, DateTime" />
</sharedListeners>
<switches>
<add name="Microsoft.Owin"
value="Verbose" />
</switches>
</system.diagnostics>
然后我在 WebAPI 文件夹日志文件中看到了根本原因 "katana.trace.log":
Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationMiddleware Error: 0 : Authentication failed
System.IO.FileLoadException: Could not load file or assembly 'Newtonsoft.Json, Version=8.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)
File name: 'Newtonsoft.Json, Version=8.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed'
at IdentityServer3.AccessTokenValidation.ValidationEndpointTokenProvider.<ReceiveAsync>d__1.MoveNext()
at System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start[TStateMachine](TStateMachine& stateMachine)
at IdentityServer3.AccessTokenValidation.ValidationEndpointTokenProvider.ReceiveAsync(AuthenticationTokenReceiveContext context)
at Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationHandler.<AuthenticateCoreAsync>d__0.MoveNext()
我将 Newtonsoft.Json 从 6.0 升级到 9.01 后,它起作用了。
祝大家新年快乐...
我配置了一个 IdentityServer4,我可以成功进行 ASP.net Core web api 调用。 但是对于 asp.net framework 4.5.2 web apis, 我从 .NET 框架 Web api 收到 {"Response status code does not indicate success: 401 (Unauthorized)."} 错误。想请教大家的帮助和意见。
我用 IS4 搜索了主题,找到了一些关于 IdentityServer3.AccessTokenValidation 兼容性的条目。根据回复,我加载了一个签名证书并调用了 AddSigningCredential 而不是 AddTemporarySigninCredential。 x509certificate 是本地创建的证书。我将 IdentityServer3.AccessTokenValidation 版本更新为 v2.13.0.
我仍然遇到错误。 感谢任何帮助。
问候并感谢您的巨大努力。
IdentityServer 4 端: Startup.cs
public void ConfigureServices(IServiceCollection services)
{
services
.AddIdentityServer()
//.AddTemporarySigningCredential()
.AddSigningCredential(x509Certificate)
.AddInMemoryIdentityResources(Config.GetIdentityResources())
.AddInMemoryApiResources(Config.GetApiResources())
.AddInMemoryClients(Config.GetClients())
.AddAspNetIdentity<ApplicationUser>();
}
Config.cs
public static IEnumerable<ApiResource> GetApiResources()
{
return new List<ApiResource>
{
new ApiResource("AuthorizationWebApi","Authorization Web API .NET Core"),
new ApiResource("AuthorizationWebApiNetFramework","Authorization Web API NET Framework"),
new ApiResource("api1", "Empty Test Api")
};
}
public static IEnumerable<Client> GetClients()
{
return new List<Client> {
new Client {
ClientId = "silicon",
ClientName = "console app",
AllowedGrantTypes = GrantTypes.ClientCredentials,
ClientSecrets = { new Secret("abcdef".Sha256())},
AllowedScopes = new List<string>{
"AuthorizationWebApiNetFramework"
}
},
new Client
{
ClientId = "MYUX",
ClientName = "MYUX MVC Client",
AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
RequireConsent = false,
ClientSecrets= {new Secret("abcdef".Sha256()) },
RedirectUris = { "http://localhost:5002/signin-oidc" },
PostLogoutRedirectUris = {"http://localhost:5002"},
AllowedScopes = {
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
"custom.profile",
"AuthorizationWebApi",
"AuthorizationWebApiNetFramework"
},
AllowOfflineAccess = true
}
};
}
.NET Framework APİ 端
public void Configuration(IAppBuilder app)
{
//ConfigureAuth(app);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
{
Authority = "http://www.abcdefgh.com:5000",
ValidationMode = ValidationMode.ValidationEndpoint,
RequiredScopes = new[] { "AuthorizationWebApiNETFramework" }
});
//configure web api
var config = new HttpConfiguration();
config.MapHttpAttributeRoutes();
//require authentication for all controllers
config.Filters.Add(new AuthorizeAttribute());
app.UseWebApi(config);
}
主叫方:
try
{
ViewData["Message"] = "Authorization Test.";
var accessToken = await HttpContext.Authentication.GetTokenAsync("access_token");
var authorizationApiClient = new HttpClient();
authorizationApiClient.SetBearerToken(accessToken);
var content = await authorizationApiClient.GetStringAsync("http://localhost:13243/values");
return View();
}
catch (Exception ex)
{
throw;
}
或通过控制台应用程序...
try
{
// discover endpoints from metadata
var disco = await DiscoveryClient.GetAsync("http://www.abcdefgh.com:5000");
var tokenClient = new TokenClient(disco.TokenEndpoint, "silicon", "abcdef");
var tokenResponse = await tokenClient.RequestClientCredentialsAsync("AuthorizationWebApiNetFramework");
if (tokenResponse.IsError)
{
Console.WriteLine(tokenResponse.Error);
return;
}
Console.WriteLine(tokenResponse.Json);
var client = new HttpClient();
client.SetBearerToken(tokenResponse.AccessToken);
var response = await client.GetAsync("http://localhost:13243/values");
if (!response.IsSuccessStatusCode)
{
Console.WriteLine(response.StatusCode);
}
else
{
var content = await response.Content.ReadAsStringAsync();
Console.WriteLine(JArray.Parse(content));
}
}
catch (Exception)
{
throw;
}
编辑: 在 4.5.2 Api 方面:我注释掉了这一行 验证模式 = ValidationMode.ValidationEndpoint。我按照 IS3 文档添加了这一行。谢谢大家。
删除 Web API 访问令牌验证中间件中的以下行。
ValidationMode = ValidationMode.ValidationEndpoint
结果应如下所示:
app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
{
Authority = "http://www.abcdefgh.com:5000",
RequiredScopes = new[] { "AuthorizationWebApiNETFramework" }
});
就我而言,我启用了以下日志:https://identityserver.github.io/Documentation/docsv2/consuming/diagnostics.html
By default Katana uses the TraceSource mechanism in .NET for logging. Add the following snippet to your config file to enable logging to a file:
<system.diagnostics>
<trace autoflush="true" />
<sources>
<source name="Microsoft.Owin">
<listeners>
<add name="KatanaListener" />
</listeners>
</source>
</sources>
<sharedListeners>
<add name="KatanaListener"
type="System.Diagnostics.TextWriterTraceListener"
initializeData="katana.trace.log"
traceOutputOptions="ProcessId, DateTime" />
</sharedListeners>
<switches>
<add name="Microsoft.Owin"
value="Verbose" />
</switches>
</system.diagnostics>
然后我在 WebAPI 文件夹日志文件中看到了根本原因 "katana.trace.log":
Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationMiddleware Error: 0 : Authentication failed
System.IO.FileLoadException: Could not load file or assembly 'Newtonsoft.Json, Version=8.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)
File name: 'Newtonsoft.Json, Version=8.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed'
at IdentityServer3.AccessTokenValidation.ValidationEndpointTokenProvider.<ReceiveAsync>d__1.MoveNext()
at System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start[TStateMachine](TStateMachine& stateMachine)
at IdentityServer3.AccessTokenValidation.ValidationEndpointTokenProvider.ReceiveAsync(AuthenticationTokenReceiveContext context)
at Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationHandler.<AuthenticateCoreAsync>d__0.MoveNext()
我将 Newtonsoft.Json 从 6.0 升级到 9.01 后,它起作用了。